NEW QUESTION 1
What are three valid actions in a File Blocking Profile? (Choose three)

• A. Forward
• B. Block
• C. Alret
• D. Upload
• E. Reset-both
• F. Continue

Answer: ABC

Explanation: https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-Action-Precedence/ta-p/53623

NEW QUESTION 2
A distributed log collection deployment has dedicated log Collectors. A developer needs a
device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first?

• A. Remove the cable from the management interface, reload the log Collector and then re- connect that cable
• B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
• C. remove the device from the Collector Group
• D. Revert to a previous configuration

Answer: C

NEW QUESTION 3
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

• A. Option A
• B. Option B
• C. Option C
• D. Option D
• E. Option E

Answer: B

NEW QUESTION 4
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22
Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A.
B.
C.
D.

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: C

NEW QUESTION 5
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

• A. Microsoft Active Directory
• B. Microsoft Terminal Services
• C. Aerohive Wireless Access Point
• D. Palo Alto Networks Captive Portal

Answer: B

NEW QUESTION 6
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface
Which interface type and configuration setting will support this design?

• A. Trunk interface type with specified tag
• B. Layer 3 interface type with specified tag
• C. Layer 2 interface type with a VLAN assigned
• D. Layer 3 subinterface type with specified tag

Answer: D

NEW QUESTION 7
Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

• A. Add SSL App-ID to Rule1
• B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
• C. Add the DNS App-ID to Rule2
• D. Add the Web-browsing App-ID to Rule2

Answer: C

NEW QUESTION 8
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?

• A. Device state and license files
• B. Configuration and serial number files
• C. Configuration and statistics files
• D. Configuration and Large Scale VPN (LSVPN) setups file

Answer: A

NEW QUESTION 9
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

• A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
• B. set deviceconfig system speed-duplex 1Gbps-duplex
• C. set deviceconfig system speed-duplex 1Gbps-full-duplex
• D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Answer: B

NEW QUESTION 10
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

• A. Create a decryption rule matching the encrypted BitTorrent traffic with action “No- Decrypt,” and place the rule at the top of the Decryption policy.
• B. Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy.
• C. Disable the exclude cache option for the firewall.
• D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach theprofile to the decryption rule.

Answer: D

NEW QUESTION 11
Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

• A. URL Filtering profile
• B. Zone Protection profile
• C. Anti-Spyware profile
• D. Vulnerability Protection profile

Answer: A

NEW QUESTION 12
Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

• A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
• B. Configuring the metric for RIP to be higher than that of OSPF Int.
• C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
• D. Configuring the metric for RIP to be lower than that OSPF Ext.

Answer: A

NEW QUESTION 13
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?

• A. A Server Profile has not been configured for logging to this Panorama device.
• B. Panorama is not licensed to receive logs from this particular firewall.
• C. The firewall is not licensed for logging to this Panorama device.
• D. None of the firwwall's policies have been assigned a Log Forwarding profile

Answer: D

NEW QUESTION 14
How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

• A. Enable support for non-standard syslog messages under device management
• B. Check the custom-format check box in the syslog server profile
• C. Select a non-standard syslog server profile
• D. Create a custom log format under the syslog server profile

Answer: D

NEW QUESTION 15
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

• A. Clean
• B. Bengin
• C. Adware
• D. Suspicious
• E. Grayware
• F. Malware

Answer: BEF

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/wildfire-features/wildfire-grayware-verdict

NEW QUESTION 16
Which protection feature is available only in a Zone Protection Profile?

• A. SYN Flood Protection using SYN Flood Cookies
• B. ICMP Flood Protection
• C. Port Scan Protection
• D. UDP Flood Protections

Answer: A

NEW QUESTION 17
How are IPV6 DNS queries configured to user interface ethernet1/3?

• A. Network > Virtual Router > DNS Interface
• B. Objects > CustomerObjects > DNS
• C. Network > Interface Mgrnt
• D. Device > Setup > Services > Service Route Configuration

Answer: D

NEW QUESTION 18
Which Captive Portal mode must be configured to support MFA authentication?

• A. NTLM
• B. Redirect
• C. Single Sign-On
• D. Transparent

Answer: B

NEW QUESTION 19
A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?

• A. Change the Site-B IKE Gateway profile version to match Site-A,
• B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
• C. Enable NAT Traversal on the Site-A IKE Gateway profile.
• D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Answer: D